Lawmakers Add 48-Hour Rule to Data Breach Notification Bills

U.S. Sens. Jay Rockefeller and Mark Pryor joined U.S. Rep. Mary Bono Mack in filing legislation that requires companies to notify customers about data breaches within 48 hours of when an incident assessment is completed.

Two draft versions of data breach bills
were introduced in Congress: one by U.S. Rep. Mary Bono Mack, R-Calif., and the
other by Sens. John Rockefeller, D-W.Va., chair of the Senate Commerce
Committee, and Sen. Mark Pryor, D-Ark.
The Bono Mack draft bill would require
companies to notify the Federal Trade Commission and law enforcement within 48
hours and to begin notifying customers within 48 hours of when an incident
assessment is completed, Bono Mack said June 15. The Rockefeller-Pryor bill,
introduced the same day, would also require companies to safeguard sensitive data and inform customers in
a timely manner in the case of a breach.

"If companies are going to collect
and store consumers' personal information, safeguarding that information should
be priority No. 1," said Pryor, noting that many companies have recently
been hacked. "We need to pass strong security and notification standards
before this problem spins further out of control," Pryor said.

The bills come shortly after lawmakers
and consumers bitterly berated Sony for taking so long to disclose a massive
data breach in its PlayStation Network and related entertainment sites. Recent
reports revealed that Citigroup also sat upon a data breach incident
for at least three weeks.
At the House hearing, other lawmakers
expressed concern that allowing companies to wait until the assessment is
complete would result in stalling tactics. Mack said she is
willing to discuss a certain "drop-dead" time, such as 60 days, within which
companies have to report the breach. Organizations being too slow would face
penalties from the Federal Trade Commission.
The Bono Mack bill could result in
scenarios similar to what happened to Sony. Rep. Henry Waxman, D-Calif., noted
that if this bill were law, Sony would still not be required to notify
customers about the breach, since it is still in the process of assessing the
data breach. Sony was hacked in mid-April.
Bono Mack, chairman of the House
Subcommittee on Commerce, Manufacturing and Trade, called her bill "our
opening shot." Her Secure and Fortify Electronic Data bill closely tracks
the bills from Energy and Commerce committees, but the class of companies
subject to the law is much wider, including third-party data holders such as
"contracted cloud providers." Bono Mack also gave the FTC authority over nonprofit
organizations, noting that they often posses "a tremendous amount" of consumer
information.
Under the rule, companies would be
required to erase personal data as soon as it's not being used, eliminating the
possibility of having it stolen in an attack. Companies would not have to
notify law enforcement of the intrusion within 48 hours if the breach "is
determined to be inadvertent" or would be unlikely to "result in harm,"
according to the draft.
"The consequences of data breaches
can be grave: identity theft, depleted savings accounts, a ruined credit score,
and trouble getting loans for cars, homes and children's education," said
Rockefeller.
The Rockefeller-Pryor bill would
require businesses that store personal information to establish reasonable
security policies and procedures to protect data.
"Companies that maintain vast
amounts of consumer information need to have effective safeguards in place to
keep sensitive consumer information secure," Rockefeller said.